


EXHIBIT B 

System.Firewall.Policy.PolicyCondition

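namespace System.Firewall.Policy
{
    /// <summary>
    /// Abstract base for the match conditions of a firewall policy rule.
    /// A condition stands for the set of packets it matches; the three methods
    /// below compare that set with the set matched by another condition.
    /// Declaration-only listing, as in the exhibit: no member bodies are shown.
    /// </summary>
    /// <remarks>
    /// NOTE(review): set relations like these are what overlap and shadowing
    /// checks between rules are typically built on; the exhibit does not show
    /// how a policy engine consumes them.
    /// </remarks>
    public abstract class PolicyCondition : PolicyObject
    {
        /// <summary>
        /// Returns true if every packet matching this condition also matches
        /// <paramref name="condition"/> and vice versa; otherwise false.
        /// </summary>
        public abstract bool Equals(PolicyCondition condition);

        /// <summary>
        /// Returns true if at least one packet matches both this condition and
        /// <paramref name="condition"/>; false if there is no such packet.
        /// </summary>
        public abstract bool Intersects(PolicyCondition condition);

        /// <summary>
        /// Returns true if every packet matching <paramref name="condition"/>
        /// also matches this condition; otherwise false.
        /// </summary>
        public abstract bool Contains(PolicyCondition condition);
    }
}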




Method


Name 


Equals 


Return Type 


Bool 


Description 


Return true if all packets that match this PolicyCondition object also 
match the passing argument condition and vice versa. Otherwise 
return false. 


Parameters 


PolicyCondition cond 




Method


Name 


Intersects 


Return Type 


Bool 
Description


Return true if there are packets that match this PolicyCondition object and
also match the condition passed as the argument. Return false if there is no
such packet.


Parameters 


PolicyCondition 




Method


Name 


Contains 


Return Type 


Bool 


Description 


Return true if all packets that match the passing argument condition 
also match this PolicyCondition object. Otherwise return false. 


Parameters 


PolicyCondition 
System.Firewall.Policy.EthernetCondition

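namespace System.Firewall.Policy
{
    /// <summary>
    /// Base for conditions that are applied to data-link packets.
    /// Declaration-only listing, as in the exhibit: no member bodies are shown.
    /// </summary>
    public abstract class LinklayerCondition : PolicyCondition
    {
        /// <summary>
        /// Where a link-layer rule is applied relative to the other NDIS
        /// lightweight filter shims.
        /// </summary>
        public enum LinkLayer
        {
            // Receive path, after every other filter shim: the last chance to filter
            // a data-link packet before it is delivered to the network layer.
            InboundTop,

            // Send path, before any other filter shim: the first chance to filter
            // a data-link packet before other NDIS lightweight filters process it.
            OutboundTop,

            // Receive path, before any other filter shim: the first opportunity
            // to filter a received packet.
            InboundBottom,

            // Send path, after every other filter shim: the last opportunity
            // to filter a sent packet.
            OutboundBottom
        }

        // Properties
        public LinkLayer Layer { get { } set { } }
    }

    /// <summary>
    /// Condition that matches the MAC address fields of the Ethernet header.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the scan shows PolicyCondition as the base type, yet the
    /// constructor takes a LinkLayer, which is declared inside LinklayerCondition.
    /// The intended base may be LinklayerCondition; confirm against the original exhibit.
    /// </remarks>
    public class EthernetCondition : PolicyCondition
    {
        // Matched against the source MAC address field in the Ethernet header.
        public MACAddressValue SourceMACAddress { get { } set { } }

        // Matched against the destination MAC address field in the Ethernet header.
        public MACAddressValue DestinationMACAddress { get { } set { } }

        public EthernetCondition();

        // The parameter list is cut off in the scan after "src"; nothing beyond it is recoverable.
        public EthernetCondition(LinkLayer layer, MACAddressValue src /* remaining parameters illegible in the scan */);

        public override bool Equals(PolicyCondition val);

        public override bool Intersects(PolicyCondition val);

        public override bool Contains(PolicyCondition val);
    }
}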
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Specify where this link layer rule will be applied: 

• InboundTop: This layer is called after 
each received packet has traversed all 
other NDIS light weight filter shims. 
On the receive path, this is the last 
chance to filter a data-link packet 
before it is delivered to the network 
layer for processing. 

• OutboundTop: This layer is called before 
each sent packet has traversed any other 
NDIS light weight filter shims. On the 
send path, this is the first chance to 
filter a data-link packet before it is 
processed by other NDIS light weight 
filters. 

• InboundBottom: This layer is called 
before each received packet has 
traversed any other NDIS light weight 
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filter shims. This layer is the first 
opportunity to filter a received packet. 




• OutboundBottom: This layer is called 
after each sent packet has traversed all 
other NDIS light weight filter shims. 
This layer is the last opportunity to 
filter a sent packet. 


Access 


Read/Write 




Property 


Name 


SourceMACAddress 


Description 


This value is used to match the source 
MAC address field in the Ethernet header. 


Access 


Read/Write 




Property


Name 


DestinationMACAddress 


Description 


This value is used to match the 
destination MAC address field in the Ethernet 
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header. 


Access 


Read/Write 
System.Firewall.Policy.IPCondition

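namespace System.Firewall.Policy
{
    /// <summary>
    /// Condition that matches fields of the IP header at a chosen IP layer.
    /// Declaration-only listing, as in the exhibit: no member bodies are shown.
    /// </summary>
    /// <remarks>
    /// All fields of one condition are interpreted in a single address family:
    /// per the exhibit, a v4 source address combined with a v6 destination
    /// address raises a runtime exception.
    /// </remarks>
    public class IPCondition : PolicyCondition
    {
        /// <summary>The IP layer at which the condition is applied.</summary>
        public enum IPLayer
        {
            // Received packet, just after the IP header is parsed and before any
            // header processing. IPSec decryption and reassembly have NOT happened
            // yet, so a condition here sees the packet as it arrived.
            InboundIPPacket,

            // Sent packet, just before it is evaluated for fragmentation. Header
            // processing is complete and IPSec authentication and encryption have
            // already been applied.
            OutboundIPPacket,

            // Every received fragment; non-fragmented received packets are not
            // presented at this layer.
            InboundIPFragment,

            // Every sent and forwarded fragment; a sent packet that is not
            // fragmented is not presented at this layer.
            OutboundIPFragment,

            // Every forwarded packet.
            IPForward
        };

        public IPLayer Layer { get { } set { } }

        // This declaration is missing from the listing as scanned; it is restored
        // from the property table, which documents SourceAddress, and from the
        // constructor's "src" parameter. Confirm against the original exhibit.
        public IPAddressValue SourceAddress { get { } set { } }

        // Matched against the destination address field in the IP header.
        public IPAddressValue DestinationAddress { get { } set { } }

        // Matched against the protocol field in the IP header.
        public ByteValue Protocol { get { } set { } }

        // Matched against the packet length field in the IP header.
        public UInt16Value PacketLength { get { } set { } }

        // Interface on which the condition is matched. With Layer set to IPForward
        // it matches only the receiving interface when the rule direction is
        // Inbound, and the outgoing interface when the rule direction is Outbound.
        public NetworkInterface Interface { get { } set { } }

        // There may be more conditions to be exposed by the firewall platform.

        public IPCondition();

        // The scan abbreviates the address parameters as "IPAddressValue src,dst".
        public IPCondition(IPLayer layer, IPAddressValue src, IPAddressValue dst, ByteValue prot);

        public override bool Equals(PolicyCondition condition);

        public override bool Intersects(PolicyCondition condition);

        public override bool Contains(PolicyCondition condition);
    };
}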
The IP Address class is taken from the System.Net namespace. It supports both v4 and v6
IP addresses. However, for one particular condition, all the condition fields have to be
interpreted in the context of one address family. In other words, it will raise a runtime
exception if the source address is a v4 address but the destination address is a v6 address.



Property 




Description 



The specific IP layer at which this condition is to be applied. The
possible IP layers are as follows:



• InboundIPPacket: This layer is called
just after the IP header has
been parsed and just before any header
processing takes place on a received IP
packet. IPSec decryption and reassembly
will not have occurred at this point.



• OutboundIPPacket: This layer is called
just before a sent packet is evaluated 
for fragmentation. By the time this 
layer is called, all IP header 
processing is complete and all extension 
headers are in place. IPSec 
authentication and encryption will have 
already occurred at this time. 
• InboundIPFragment: This layer is called
for every received fragment. Non- 
fragmented packets that are received 
will not be called out for this layer. 




• OutboundIPFragment: This layer is called
for every sent and forwarded fragment. 
If a sent IP packet is not fragmented, 
it will not be called out for this 
layer. 




• IPForward: This layer is called for each 
forwarded packet. 


Access 


Read/Write 




Property


Name 


SourceAddress 


Description 


This value is used to match the source address field in the IP header. 


Access 


Read/Write 
Property


Name 


DestinationAddress 


Description


This value is used to match the destination address field in the IP 
header. 


Access 


Read/Write 




Property


Name 


Protocol 


Description 


This value is used to match the protocol field in the IP header. 


Access 


Read/Write 




Property


Name 


PacketLength 


Description 


This value is used to match the packet length field in the IP header. 


Access 


Read/Write 




Property


Name 


NetworkInterface


Description 


Specify the network interface on which this condition will be matched. 
If the layer property is set to be IPForward, it will only match the 
receiving interface of the forwarded packets when the rule direction is 
set to Inbound and the outgoing interface when the rule direction is set 
to Outbound. 
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Access 


Read/Write 
System.Firewall.Policy.TransportCondition

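namespace System.Firewall.Policy
{
    /// <summary>
    /// Base for conditions evaluated at the transport layer.
    /// Declaration-only listing, as in the exhibit: no member bodies are shown.
    /// </summary>
    public abstract class TransportCondition : PolicyCondition
    {
        /// <summary>Direction in which the transport-layer condition applies.</summary>
        public enum TransportLayer
        {
            Inbound,
            Outbound
        }

        // The following are the conditions that are available at the transport layer
        // via context.
        public TransportLayer TransportLayer { get { } set { } }
        public IPAddressValue SourceAddress { get { } set { } }
        public IPAddressValue DestinationAddress { get { } set { } }
        public ByteValue Protocol { get { } set { } }

        // There may be more conditions to be exposed by the firewall platform.

        protected TransportCondition();

        protected TransportCondition(TransportLayer layer,
            IPAddressValue srcAddr, IPAddressValue dstAddr);
    }

    /// <summary>Condition that matches the port fields of the UDP header.</summary>
    public class UDPCondition : TransportCondition
    {
        // Matched against the source port field in the UDP header.
        public UInt16Value SourcePort { get { } set { } }

        // Matched against the destination port field in the UDP header.
        public UInt16Value DestinationPort { get { } set { } }

        public UDPCondition();

        public UDPCondition(TransportLayer layer, IPAddressValue srcAddr,
            IPAddressValue dstAddr, UInt16Value srcPort, UInt16Value dstPort);

        public override bool Equals(PolicyCondition val);
        public override bool Intersects(PolicyCondition val);
        public override bool Contains(PolicyCondition val);
    }

    /// <summary>Condition that matches the port and flag fields of the TCP header.</summary>
    public class TCPCondition : TransportCondition
    {
        // NOTE(review): the Flags property description in the exhibit names FIN, SYN,
        // RST, PSH, ACK and URG, but RST and PSH do not appear in the listing as
        // scanned. In the TCP header those bits are 4 and 8, which fits the gap
        // between SYN = 2 and ACK = 16; restore them only after checking the original.
        [Flags]
        public enum TCPFlags
        {
            FIN = 1,
            SYN = 2,
            ACK = 16,
            URG = 32
        }

        // Matched against the source port field in the TCP header.
        public UInt16Value SourcePort { get { } set { } }

        // Matched against the destination port field in the TCP header.
        public UInt16Value DestinationPort { get { } set { } }

        // Matched against the corresponding bits in the TCP flags field.
        public TCPFlags Flags { get { } set { } }

        // There may be more conditions to be exposed by the firewall platform.

        public TCPCondition();

        public TCPCondition(TransportLayer layer, IPAddressValue srcAddr,
            IPAddressValue dstAddr, UInt16Value srcPort, UInt16Value dstPort);

        public override bool Equals(PolicyCondition val);
        public override bool Intersects(PolicyCondition val);
        public override bool Contains(PolicyCondition val);
    }

    /// <summary>Condition that matches the type and code fields of the ICMP header.</summary>
    /// <remarks>
    /// ICMP v6 defines type and code differently than ICMP v4. Per the exhibit, the
    /// address family of the source and destination address decides whether an
    /// ICMPCondition is interpreted as ICMP v4 or v6, so the same numeric type/code
    /// pair does not mean the same thing in both families.
    /// </remarks>
    public class ICMPCondition : TransportCondition
    {
        // Matched against the type field in the ICMP header.
        public ByteValue ICMPType { get { } set { } }

        // Matched against the code field in the ICMP header.
        public ByteValue ICMPCode { get { } set { } }

        // There may be more conditions to be exposed by the firewall platform.

        public ICMPCondition();

        // The scan abbreviates the last two parameters as "ByteValue icmpType, icmpCode".
        public ICMPCondition(TransportLayer layer, IPAddressValue srcAddr,
            IPAddressValue dstAddr, ByteValue icmpType, ByteValue icmpCode);

        public override bool Equals(PolicyCondition val);

        // This line is largely illegible in the scan ("public-over..."); it is restored
        // from the Equals/Intersects/Contains pattern of the sibling classes.
        public override bool Intersects(PolicyCondition val);

        public override bool Contains(PolicyCondition val);
    };
}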

ICMP v6 defines ICMP type and code differently than ICMP v4. The address family of the 
source and destination address determines if an ICMPCondition will be interpreted as ICMP 
v4 or v6. 



Property 


Name 


SourcePort 


Description 


This value is used to match the source port field in the TCP/UDP header. 


Access 


Read/Write 




Property 


Name 


DestinationPort 


Description 


This value is used to match the 
destination port field in the TCP/UDP header. 


Access 


Read/Write 
Property


Name 


Flags 


Description 


This value is used to match the corresponding bits in the TCP flags field:
FIN, SYN, RST, PSH, ACK, URG


Access 


Read/Write 




Property 


Name 


ICMPType 


Description 


This value is used to match the type field in the ICMP header. 


Access 


Read/Write 




Property 


Name 


ICMPCode 


Description 


This value is used to match the code field in the ICMP header. 


Access 


Read/Write 
System.Firewall.Policy.IPSecAuthorizationCondition

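namespace System.Firewall.Policy
{
    /// <summary>
    /// Condition that matches the IPSec context of both inbound and outbound packets.
    /// Declaration-only listing, as in the exhibit: no member bodies are shown.
    /// </summary>
    /// <remarks>
    /// Per the exhibit, inspection is assumed to take place right after IPSec
    /// authentication completes. A Permit action lets the IPSec SA be established;
    /// a Deny action means no SA is created and main mode negotiation fails.
    /// </remarks>
    public class IPSecAuthorizationCondition : PolicyCondition
    {
        public IPSecAuthorizationCondition(RemoteIdentity RemoteID);

        // Only a getter is legible in the scan for this property.
        public RemoteIdentity RemoteID { get { } }

        public IPAddressValue LocalAddress { get { } set { } }

        public UInt16Value LocalPort { get { } set { } }

        // NOTE(review): the scan shows UInt16Value here, while the other condition
        // classes in this exhibit declare Protocol as ByteValue; confirm which is intended.
        public UInt16Value Protocol { get { } set { } }

        public IPAddressValue RemoteAddress { get { } set { } }

        public UInt16Value RemotePort { get { } set { } }
    }
}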



IPSecAuthorizationCondition matches both inbound and outbound packet IPSec context.
The inspection is assumed to take place right after IPSec authentication completes. If the
associated action is Permit, then the IPSec SA will be established and traffic will be secured.
If the action to take is Deny, no SA will be created and the IPSec main mode negotiation will
fail.
System.Firewall.Policy.ApplicationCondition

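namespace System.Firewall.Policy
{
    /// <summary>Kinds of network access an application can be matched on.</summary>
    [Flags]
    public enum NetworkAccessFlag
    {
        Client = 1,
        Server = 2,
        ClientAndServer = 3, // Client | Server
        Multicast = 4
    }

    /// <summary>
    /// Base for conditions exposed by application-layer enforcement; the exhibit
    /// describes it as the main engine for application- and user-based firewall policies.
    /// Declaration-only listing, as in the exhibit: no member bodies are shown.
    /// </summary>
    public abstract class ApplicationCondition : PolicyCondition
    {
        // Matches packets generated or received by this application.
        public ApplicationIDValue Application { get { } set { } }

        // Matches packets generated or received by this user.
        public IPrincipalValue LocalUser { get { } set { } }

        // There may be more conditions to be exposed by the firewall platform.

        public ApplicationCondition();

        public ApplicationCondition(ApplicationIDValue app,
            IPrincipalValue luser);
    }

    public class AuthorizationCondition : ApplicationCondition
    {
        // The following conditions are matched against values passed down through
        // winsock calls like connect or listen.

        // The scan drops the name of this property; only its type and accessors survive:
        //     public NetworkAccessFlag <name missing in scan> { get { } set { } }

        public IPAddressValue LocalAddress { get { } set { } }
        public IPAddressValue RemoteAddress { get { } set { } }
        public ByteValue Protocol { get { } set { } }

        // One property declaration at this position is illegible in the scan
        // (presumably the local-port counterpart of RemotePort; confirm against the original).

        public UInt16Value RemotePort { get { } set { } }
        public RemoteIdentityValue RemoteID { get { } set { } }
    }

    public enum PromiscuousMode
    {
        AllIP = 1,
        AllMulticast = 2,
        IGMPMulticast = 3
    };

    public enum ResourceType
    {
        UDPPort,
        TCPPort,
        Raw
    }

    public class ResourceAssignmentCondition : ApplicationCondition
    {
        public IPAddressValue LocalAddress { get { } set { } }

        // if protocol is not TCP/UDP, this is assumed to be a Raw socket case;
        public ResourceType ResourceType { get { } set { } }
        public UInt16Value ResourceValue { get { } set { } }
        public PromiscuousMode PMode { get { } set { } }
    }
}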



ApplicationCondition matches the conditions that are exposed by the application layer 
enforcement. This is the main engine for providing application and user based firewall 
policies. 



Property 


Name 


Application 


Description 


This is to match packets that are
generated / received by this application.
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Access 


Read/Write 




Property 


Name 


LocalUser


Description 


This is to match packets that are 
generated / received by this user. 


Access 


Read/Write 
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